Can't upgrade procps in LXC 1.1

Bug #1419554 reported by William Grant
This bug affects 3 people
Affects          Status        Importance  Assigned to      Milestone
procps (Ubuntu)  Fix Released  High        Stéphane Graber
Precise          Fix Released  High        Stéphane Graber
Trusty           Fix Released  High        Stéphane Graber
Utopic           Fix Released  High        Stéphane Graber
Vivid            Fix Released  High        Stéphane Graber

Bug Description

== SRU ==
Rationale:
 sysctl now fails with current LXC as files which shouldn't be written to in containers are read-only. A previous fix applied to the EACCES case as returned by apparmor.

Test case:
 start procps

Regression potential:
 All EROFS write failures will now be ignored (an error is still logged) but I can't think of a case where that'd be a bad thing.

Original bug report:

LXC 1.1 on vivid has started giving privileged containers a read-only /sys, which prevents Ubuntu's procps Upstart job from starting. This isn't normally too problematic, except that the weekend's procps SRU's postinst tries to start the job and causes the upgrade to fail.

Disabling the procps postinst makes apt usable again.

Revision history for this message
William Grant (wgrant) wrote :

root@wgrant-local-machine-1:/# tail /var/log/upstart/procps.log
sysctl: setting key "kernel.kptr_restrict": Read-only file system
sysctl: setting key "fs.protected_hardlinks": Read-only file system
sysctl: setting key "fs.protected_symlinks": Read-only file system
sysctl: setting key "kernel.sysrq": Read-only file system
sysctl: setting key "net.ipv4.conf.default.rp_filter": Read-only file system
sysctl: setting key "net.ipv4.conf.all.rp_filter": Read-only file system
sysctl: setting key "kernel.yama.ptrace_scope": Read-only file system
sysctl: setting key "vm.mmap_min_addr": Read-only file system
sysctl: setting key "net.ipv6.conf.all.use_tempaddr": Read-only file system
sysctl: setting key "net.ipv6.conf.default.use_tempaddr": Read-only file system

Revision history for this message
Adam Conrad (adconrad) wrote :

Perhaps procps should guard the postinst start with a container check?

Revision history for this message
Stéphane Graber (stgraber) wrote :

I have an upstream fix for /proc/sys/net/* which should be writable in the container (tied to netns), the others still look to me as knobs that shouldn't be writable in a container and so having the procps return value be ignored in containers would seem like a reasonable fix to me.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lxc (Ubuntu):
status: New → Confirmed
Revision history for this message
James Ascroft-Leigh (jwal) wrote :

I'm getting exactly the same error scenario in a different environment. I've had a setup working for months with:

  - Ubuntu Trusty LTS host
  - Ubuntu Trusty LTS guest
  - Libvirt from Trusty
  - LXC from Trusty (--connect lxc://)

I use debootstrap and chroot to prepare the base filesystem then I boot using `virsh --connect lxc:// ...`. When I do `sudo apt-get dist-upgrade` I get a non-zero exit code from procps failing to start as above. Jenkins is not happy :(

Revision history for this message
James Ascroft-Leigh (jwal) wrote :

The following shell script seems to allow the installation to continue:

sudo dpkg-divert --add --rename --local --divert /sbin/sysctl.real /sbin/sysctl
cat << 'EOF' | sudo tee /sbin/sysctl
#!/bin/bash
/sbin/sysctl.real "$@"
echo "Warning: /sbin/sysctl exit code is being suppressed in this container"
exit 0
EOF
sudo chmod a+x /sbin/sysctl
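
The wrapper above discards every sysctl failure. As an added example (not part of the original comment and not procps code), the function below classifies sysctl's error lines instead, so that only "Read-only file system" failures are tolerated and any other failure still yields a non-zero status. The function names and the "Invalid argument" sample line are constructed for illustration; the other sample lines follow the two message formats shown in this report.

```sh
# Added example: tolerate only "Read-only file system" failures from sysctl.
# classify_sysctl_errors reads sysctl's stderr on stdin and prints one line
# per key that could not be set:
#   readonly <key>   write refused with EROFS (read-only /proc/sys in a container)
#   other <key>      any other failure
# It returns 0 when every failure was EROFS and 1 otherwise.
classify_sysctl_errors() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *'setting key "'*) ;;   # a failed write; classified below
            *) continue ;;          # successful "key = value" lines and noise
        esac
        # The key is the quoted string that follows 'setting key "'.
        key=${line#*'setting key "'}
        key=${key%%'"'*}
        case "$line" in
            *'Read-only file system'*) printf 'readonly %s\n' "$key" ;;
            *) printf 'other %s\n' "$key"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample input covering both message formats seen in this report
# (precise-style and trusty-style) plus one constructed non-EROFS failure.
sample_sysctl_stderr() {
    cat <<'EOF'
error: "Read-only file system" setting key "kernel.printk"
sysctl: setting key "kernel.kptr_restrict": Read-only file system
net.ipv4.conf.all.rp_filter = 1
sysctl: setting key "kernel.yama.ptrace_scope": Read-only file system
sysctl: setting key "vm.mmap_min_addr": Invalid argument
EOF
}

# Demo on the sample. On a real system, feed only stderr to the classifier:
#   cat /etc/sysctl.d/*.conf /etc/sysctl.conf \
#     | sysctl -e -p - 2>&1 >/dev/null | classify_sysctl_errors
sample_sysctl_stderr | classify_sysctl_errors \
    || echo "at least one failure was not EROFS"
```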

Revision history for this message
Stéphane Graber (stgraber) wrote :

We have existing code in procps to ignore EACCES but not for EROFS, I'll be pushing updates to all series to sort that out.

affects: lxc (Ubuntu) → procps (Ubuntu)
description: updated
Revision history for this message
Stéphane Graber (stgraber) wrote :

Uploaded the fix to all series (after testing the fix on vivid).

Note that the problem is mostly visible on series which don't have procps-instance.conf as those that do will not fail on upgrade (but sysctl itself still fails).

To test the fix, it's best to run:
cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p - && echo pass

Changed in procps (Ubuntu Precise):
assignee: nobody → Stéphane Graber (stgraber)
Changed in procps (Ubuntu Utopic):
assignee: nobody → Stéphane Graber (stgraber)
Changed in procps (Ubuntu Vivid):
assignee: nobody → Stéphane Graber (stgraber)
Changed in procps (Ubuntu Trusty):
assignee: nobody → Stéphane Graber (stgraber)
Changed in procps (Ubuntu Precise):
importance: Undecided → High
Changed in procps (Ubuntu Trusty):
status: New → In Progress
Changed in procps (Ubuntu Utopic):
status: New → In Progress
Changed in procps (Ubuntu Trusty):
importance: Undecided → High
Changed in procps (Ubuntu Utopic):
importance: Undecided → High
Changed in procps (Ubuntu Vivid):
importance: Undecided → High
Changed in procps (Ubuntu Precise):
status: New → In Progress
Changed in procps (Ubuntu Vivid):
status: Confirmed → Fix Committed
Revision history for this message
Stéphane Graber (stgraber) wrote :

Note that I have a copy of those SRUs already in ppa:stgraber/experimental if that's useful to someone.

Revision history for this message
Adam Conrad (adconrad) wrote : Please test proposed package

Hello William, or anyone else affected,

Accepted procps into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/procps/1:3.2.8-11ubuntu6.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in procps (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in procps (Ubuntu Trusty):
status: In Progress → Fix Committed
Revision history for this message
Adam Conrad (adconrad) wrote :

Hello William, or anyone else affected,

Accepted procps into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/procps/1:3.3.9-1ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in procps (Ubuntu Utopic):
status: In Progress → Fix Committed
Revision history for this message
Adam Conrad (adconrad) wrote :

Hello William, or anyone else affected,

Accepted procps into utopic-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/procps/1:3.3.9-1ubuntu5.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Stéphane Graber (stgraber) wrote :

root@precise-procps:/root# cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p - || echo fail
error: "Read-only file system" setting key "kernel.printk"
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
error: "Read-only file system" setting key "kernel.kptr_restrict"
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
error: "Read-only file system" setting key "kernel.yama.ptrace_scope"
error: "Read-only file system" setting key "vm.mmap_min_addr"
fail

root@precise-procps:/root# ls
procps_3.2.8-11ubuntu6.4_amd64.deb
root@precise-procps:/root# dpkg -i procps_3.2.8-11ubuntu6.4_amd64.deb
(Reading database ... 13317 files and directories currently installed.)
Preparing to replace procps 1:3.2.8-11ubuntu6.3 (using procps_3.2.8-11ubuntu6.4_amd64.deb) ...
Unpacking replacement procps ...
Setting up procps (1:3.2.8-11ubuntu6.4) ...
procps stop/waiting
Processing triggers for ureadahead ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place

root@precise-procps:/root# cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p - || echo fail
error: "Read-only file system" setting key "kernel.printk"
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
error: "Read-only file system" setting key "kernel.kptr_restrict"
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
error: "Read-only file system" setting key "kernel.yama.ptrace_scope"
error: "Read-only file system" setting key "vm.mmap_min_addr"
root@precise-procps:/root#

tags: added: verification-done-precise
removed: verification-needed
Revision history for this message
Stéphane Graber (stgraber) wrote :

root@trusty-procps:/root# cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p - || echo fail
sysctl: setting key "kernel.printk": Read-only file system
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
sysctl: setting key "kernel.kptr_restrict": Read-only file system
sysctl: setting key "fs.protected_hardlinks": Read-only file system
sysctl: setting key "fs.protected_symlinks": Read-only file system
sysctl: setting key "kernel.sysrq": Read-only file system
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
sysctl: setting key "kernel.yama.ptrace_scope": Read-only file system
sysctl: setting key "vm.mmap_min_addr": Read-only file system
fail

root@trusty-procps:/root# dpkg -i *.deb
(Reading database ... 14883 files and directories currently installed.)
Preparing to unpack libprocps3_3.3.9-1ubuntu2.2_amd64.deb ...
Unpacking libprocps3:amd64 (1:3.3.9-1ubuntu2.2) over (1:3.3.9-1ubuntu2.1) ...
Preparing to unpack procps_3.3.9-1ubuntu2.2_amd64.deb ...
initctl: Unable to connect to Upstart: Failed to connect to socket /com/ubuntu/upstart-session/201105/30780: Connection refused
Unpacking procps (1:3.3.9-1ubuntu2.2) over (1:3.3.9-1ubuntu2.1) ...
Setting up libprocps3:amd64 (1:3.3.9-1ubuntu2.2) ...
Setting up procps (1:3.3.9-1ubuntu2.2) ...
initctl: Unable to connect to Upstart: Failed to connect to socket /com/ubuntu/upstart-session/201105/30780: Connection refused
 * Setting kernel variables ... sysctl: setting key "kernel.printk": Read-only file system
sysctl: setting key "kernel.kptr_restrict": Read-only file system
sysctl: setting key "fs.protected_hardlinks": Read-only file system
sysctl: setting key "fs.protected_symlinks": Read-only file system
sysctl: setting key "kernel.sysrq": Read-only file system
sysctl: setting key "kernel.yama.ptrace_scope": Read-only file system
sysctl: setting key "vm.mmap_min_addr": Read-only file system
                                                                                                                                                        [ OK ]
Processing triggers for ureadahead (0.100.0-16) ...
Processing triggers for libc-bin (2.19-0ubuntu6.5) ...

root@trusty-procps:/root# cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p - || echo fail
sysctl: setting key "kernel.printk": Read-only file system
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
sysctl: setting key "kernel.kptr_restrict": Read-only file system
sysctl: setting key "fs.protected_hardlinks": Read-only file system
sysctl: setting key "fs.protected_symlinks": Read-only file system
sysctl: setting key "kernel.sysrq": Read-only file system
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
sysctl: setting key "kernel.yama.ptrace_scope": Read-only file system
sysctl: setting key "vm.mmap_min_addr": Read-only file system
root@trusty-procps:/root#

tags: added: verification-done-trusty
Revision history for this message
Stéphane Graber (stgraber) wrote :

root@utopic-procps:/root# cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p - || echo fail
sysctl: setting key "kernel.printk": Read-only file system
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
sysctl: setting key "kernel.kptr_restrict": Read-only file system
sysctl: setting key "fs.protected_hardlinks": Read-only file system
sysctl: setting key "fs.protected_symlinks": Read-only file system
sysctl: setting key "kernel.sysrq": Read-only file system
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
sysctl: setting key "kernel.yama.ptrace_scope": Read-only file system
sysctl: setting key "vm.mmap_min_addr": Read-only file system
fail

root@utopic-procps:/root# dpkg -i *.deb
(Reading database ... 14399 files and directories currently installed.)
Preparing to unpack libprocps3_3.3.9-1ubuntu5.2_amd64.deb ...
Unpacking libprocps3:amd64 (1:3.3.9-1ubuntu5.2) over (1:3.3.9-1ubuntu5.1) ...
Preparing to unpack procps_3.3.9-1ubuntu5.2_amd64.deb ...
procps stop/waiting
Unpacking procps (1:3.3.9-1ubuntu5.2) over (1:3.3.9-1ubuntu5.1) ...
Setting up libprocps3:amd64 (1:3.3.9-1ubuntu5.2) ...
Setting up procps (1:3.3.9-1ubuntu5.2) ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
procps start/running
Processing triggers for ureadahead (0.100.0-16) ...
Processing triggers for libc-bin (2.19-10ubuntu2.2) ...

root@utopic-procps:/root# cat /etc/sysctl.d/*.conf /etc/sysctl.conf | sysctl -e -p - || echo fail
sysctl: setting key "kernel.printk": Read-only file system
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
sysctl: setting key "kernel.kptr_restrict": Read-only file system
sysctl: setting key "fs.protected_hardlinks": Read-only file system
sysctl: setting key "fs.protected_symlinks": Read-only file system
sysctl: setting key "kernel.sysrq": Read-only file system
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
sysctl: setting key "kernel.yama.ptrace_scope": Read-only file system
sysctl: setting key "vm.mmap_min_addr": Read-only file system
root@utopic-procps:/root#

tags: added: verification-done-utopic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package procps - 1:3.3.9-1ubuntu8

---------------
procps (1:3.3.9-1ubuntu8) vivid; urgency=medium

  * ignore_erofs.patch: Same as ignore_eaccess but for the case where
    part of /proc is read/only. (LP: #1419554)
 -- Stephane Graber <email address hidden> Tue, 10 Feb 2015 13:53:27 -0500

Changed in procps (Ubuntu Vivid):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package procps - 1:3.2.8-11ubuntu6.4

---------------
procps (1:3.2.8-11ubuntu6.4) precise; urgency=medium

  * ignore_erofs.patch: Same as ignore_eaccess but for the case where
    part of /proc is read/only. (LP: #1419554)
 -- Stephane Graber <email address hidden> Tue, 10 Feb 2015 13:42:15 -0500

Changed in procps (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Adam Conrad (adconrad) wrote : Update Released

The verification of the Stable Release Update for procps has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package procps - 1:3.3.9-1ubuntu2.2

---------------
procps (1:3.3.9-1ubuntu2.2) trusty; urgency=medium

  * ignore_erofs.patch: Same as ignore_eaccess but for the case where
    part of /proc is read/only. (LP: #1419554)
 -- Stephane Graber <email address hidden> Tue, 10 Feb 2015 13:51:14 -0500

Changed in procps (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package procps - 1:3.3.9-1ubuntu5.2

---------------
procps (1:3.3.9-1ubuntu5.2) utopic; urgency=medium

  * ignore_erofs.patch: Same as ignore_eaccess but for the case where
    part of /proc is read/only. (LP: #1419554)
 -- Stephane Graber <email address hidden> Tue, 10 Feb 2015 13:52:22 -0500

Changed in procps (Ubuntu Utopic):
status: Fix Committed → Fix Released